The Green Sheet Online Edition

October 10, 2011 • Issue 11:10:01

U.S. EMV implementation

By Tim CrannyPanoptic Security Inc.

Visa Inc.'s recent initiative to increase pressure on U.S. issuers, acquirers, processors and merchants to adopt the Europay/MasterCard/Visa (EMV) smart card system (dubbed chip and PIN in the United Kingdom and elsewhere) makes it a good time to look at what EMV is, what it does and what the coming changes mean to all involved.

The first point to make is that EMV is not new; it has a long history in many parts of the world. Rather than being a leader with respect to EMV adoption, the United States has lagged significantly. Hopefully, the upside will be that the U.S. rollout will benefit from other countries' experiences.

Implementing EMV in the United States will require a near-universal infrastructure refresh: new cards issued, new POS terminals deployed, new processor technologies developed and so on. You might ask, Why change at all? What's wrong with the old mag-stripe system?

The bottom line is the old system has significant weaknesses that make certain types of fraud far too easy, and EMV can do a lot to lessen those types of fraud. EMV does not make fraud go away, but it does do a lot to help.

Mag stripe versus EMV

With mag-stripe technology, transaction security breaks down too easily at the authentication stage: the step at which the system tries to verify that the customer on the other end of the transaction really is who he or she claims to be (or at least has the real card), and is not someone who used pilfered data to clone the card or stole the original card.

EMV technology makes authentication more reliable, but there is no point in having processors or payment gateways build a clever-but-complicated system for authenticating customers when there isn't a matching, clever technology at the customer's end: all that does is break things, rather than improve things.

Authentication requires close coordination between the two parties involved, almost like a dance. One side can't unilaterally change the rules or make things 10 times more complicated and still expect that coordination to keep working.

When one side of the transaction (the processor or gateway) has the option of being "smart" or complicated, but the other (the customer) can't reciprocate in kind, only two alternatives exist: both sides can "work dumb" in the interests of cooperation, or they can take steps to make the "dumb" side of the transaction smarter.

In the United States, we've spent the last decade in a rut with the first approach. EMV is all about the second approach: giving the customer technology that makes their end of the conversation "smarter," and therefore allows the entire conversation to suddenly get smarter and better.

The "smart" I'm talking about here has the same meaning as the "smart" in smart card. A smart card has integrated circuits built into it so it can store data and run computations on the card itself, and therefore engage in a complicated back-and-forth with the processor's or the gateway's computers to prove, far more certainly than before, that they are talking to the real card, and not a fake or cloned card.

The technical details get complex fairly quickly. In essence, the back-and-forth is more complicated, but better, because it is different each time (or dynamic) rather than repetitive (or static).

Breaking the EMV logjam

The challenge with EMV hasn't been technical (which is obvious, given that many parts of the world have been using this technology since the end of the last century), but rather business-related.

There's a chicken-and-the-egg problem with this sort of upgrade, where the gateways and processors don't want to spend money to improve infrastructure until the merchants do; similarly, merchants don't want the cost and effort of getting new POS systems until there's a clear signal that it's the smart thing to do for their businesses.

To break this stalemate, someone needs to force the issue and offer everyone carrots and sticks. And that is precisely what Visa is doing. The company is trying to drive the upgrade process in several ways. These include:

Effective October 2012, merchants who process at least 75 percent of their transactions on "dual-interface EMV chip-enabled terminals," already validated their
Payment Card Industry (PCI) Data Security Standard (DSS) compliance in the last year, and were not already in trouble (that is, didn't store sensitive authentication data, or weren't previously involved in a cardholder data breach) can avoid revalidation of their PCI DSS compliance by participating in Visa's Technology Innovation Program.

Liability will shift for domestic and cross-border counterfeit transactions effective October 2015. Thereafter, the party that has not instituted EMV technology to facilitate transactions (that is, either the issuer or the merchant's acquirer) will be financially liable for any resulting card-present counterfeit fraud losses. When a transaction uses chip technology, any liability for counterfeit fraud, though unlikely, will follow current Visa Operating Regulations. In other words, those who are dragging their feet and don't implement EMV technology, get to own any problems that ensue.

It's important to note a few things about the first point. It waives PCI validation (the paperwork) but not compliance: you still have to actually do the right things to get and stay compliant. It's also not clear that this will have much effect in the foreseeable future. MasterCard Worldwide and other card brands have not waived PCI validation as a requirement. It is also unclear when such terminals need to be bought and deployed widely enough to have an impact.

On the upside, Visa didn't say 75 percent of transactions have to actively use EMV; they just need to be done on terminals that can accept EMV cards.

This sort of technical change will require effort and commitment from merchants, issuers and processors, but it has already been shown to have real value in the fight against fraud. If the payment brands do the right things and offer the right incentives, it will hopefully be a relatively smooth, efficient upgrade process that will make the U.S. payments industry safer and more modern.